A Piriform web service used by Speccy has been compromised to display a malicious JavaScript. This was discovered when one of the BC Advisors, keyboardNinja, was using Speccy to look at his network information. When the information was displayed, he noticed that the IP address information was preceded by some HTML that would load a JavaScript from nsa-lab.com, which has no affiliation with the United States National Security Agency. Upon visiting this URL, his antivirus detected it as a malicious JavaScript.

After hearing about it, I downloaded the software and took a look at the network section. I too was being shown the JavaScript before my IP address. When looking at the network traffic, I saw that this was being caused by a compromised script on the Piriform website. This script, hxxp://speccy.piriform.com/ip/, was created to output a visitor's public IP address. Somehow it was compromised to also display HTML that, when viewed in a browser, would load a malicious exploit kit from nsa-lab.com. You can see a screenshot of this HTML code in the Speccy interface below:

For most users this compromise won't affect them, as Speccy does not render the HTML that would load the malicious script. Those, though, who save their report as an XML file could run into trouble. That is because by default XML files are automatically loaded into the default browser of Windows. Once this report is loaded in the browser, it will see the JavaScript HTML and execute it. This would cause the JavaScript from nsa-lab.com to launch in the browser and start an exploit kit that attempts to install malware on the computer via exploits that include Sun Java, Adobe Reader, and Adobe Flash vulnerabilities. When the exploit successfully runs, it will install malware onto your computer that has been detected by VirusTotal as:

I have tried to contact Piriform using the Contact page at their site, but when I submitted the message, I received a 404 error message, as shown below, meaning that the page it was requesting on their site did not exist and thus my message was not sent. Some of the BC staff members, though, are active on their forums and have passed on the message.

I have also contacted the owners of nsa-lab.com and alerted them to the malicious JavaScript being hosted on their site.

Hopefully this issue will be resolved quickly as Speccy is an excellent program. For those who are using Speccy, though, please do not save the report as XML and open it in a web browser until this issue has been resolved or you will become infected.

It appears that the developer has resolved this issue. I just wish more developers would not use privacy features on their domains. It makes it much harder to find out how to contact them, especially when the contact form on their site was broken.

Just checked my own version, seems like it's in the clear. Speccy portable v1.05.183 shows no signs of the issue. Decided to play guinea pig to aid modern science/technology and created/opened XML files via Speccy portable. This version seems clear but I'll hold off on upgrading for a while.

@Crazy49er, it was not a flaw or hack in the program itself, but the way the program determines your IP address. Speccy queried http://speccy.piriform.com/ip/, but the Speccy server was compromised to host some malicious JavaScript.

Problem has been fixed. We're currently performing a full investigation into that server.

Please note that the software is fine and doesn't contain a virus, it's a fault on our Speccy server.
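
The failure described in this thread is a client trusting an IP-echo endpoint's response and copying it verbatim into a report that a browser may later render. The following is an added example, not part of the original thread and not Piriform's code, showing one way a client can accept the response only if it is exactly one IP literal and otherwise record a failure; the function names, the XML element shape and the sample responses are assumptions made for illustration.

```python
import ipaddress
import re
from typing import Optional
from xml.sax.saxutils import escape

# Only characters that can occur in a plain IPv4/IPv6 literal. This also rules
# out IPv6 zone IDs ("%..."), whose content ipaddress does not restrict.
_IP_CHARS = re.compile(r"[0-9A-Fa-f:.]{2,45}")

# Constructed sample responses; the host name is a placeholder.
CLEAN = b"203.0.113.7\n"
TAMPERED = b'<script src="http://malicious.example/x.js"></script>203.0.113.7'


def parse_ip_response(body: bytes) -> Optional[str]:
    """Return the canonical address if body is exactly one IP literal, else None."""
    try:
        text = body.decode("ascii").strip()
    except UnicodeDecodeError:
        return None
    if not _IP_CHARS.fullmatch(text):
        return None
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def report_entry(body: bytes) -> str:
    """Build a (hypothetical) XML report element for the external IP."""
    ip = parse_ip_response(body)
    if ip is None:
        # Never copy the raw response into the report; record the failure only.
        return '<entry name="External IP" status="invalid-response"/>'
    # Escaping is defence in depth; a validated address has no markup characters.
    return '<entry name="External IP">%s</entry>' % escape(ip)


if __name__ == "__main__":
    for sample in (CLEAN, TAMPERED):
        print(report_entry(sample))
```

A rejected response is also a useful detection signal: an endpoint that should return a bare address and starts returning anything else is worth alerting on.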